RD134 - 2012 Annual Report on Information Security (IT) in the Commonwealth

Executive Summary:
This 2012 Annual Report on Information Security (IT) in the Commonwealth is the fifth annual report by the Chief Information Officer of the Commonwealth (CIO) to the Governor and the General Assembly. As directed by § 2.2-2009 (C) of the Code of Virginia, the CIO is required to identify those agencies that have not implemented acceptable policies, procedures and standards to control unauthorized uses, intrusions or other security threats. In accordance with § 2.2-2009 (C), the scope of this report is limited to independent and executive branch agencies, including Tier I institutions of higher education. This report does not address Tier II and Tier III institutions that have been statutorily exempted from compliance with Commonwealth policies and standards.

To fulfill his information security duties under § 2.2-2009, the CIO has established a Commonwealth Security and Risk Management (CSRM) directorate within the Virginia Information Technologies Agency (VITA). CSRM is led by the Commonwealth’s Chief Information Security Officer (CISO). This report has been prepared by CSRM on behalf of the CIO, and it follows a baseline created by CSRM in 2008 to assess the strength of agency information technology (IT) security programs that have been established to protect Commonwealth data and systems. A detailed listing of agencies and their specific security information concerns can be found in the appendix.

The last year has not seen any noticeable improvement in agency IT security programs. Currently, 58 percent of agencies have not implemented acceptable policies, standards and procedures to control unauthorized uses, intrusions and other security threats. The failure of implementation results in unknown levels of risk in the Commonwealth IT environment. Additionally, the three agencies that have not yet transformed to the new IT infrastructure continue to operate at an elevated level of risk to both the agency and the Commonwealth and expend unnecessary resources. Since agencies are not applying the proper resources to meet the current IT security audit and information security program requirements, CSRM will investigate introducing a standard to enforce information security and information security audit programs.

Agencies are not submitting documentation indicating whether compensating controls have been implemented for open findings or what amount of residual risk is identified. As a result, these agencies are unable to identify how much risk they are subject to. The audit and risk documentation processes are two important ways that agency IT risks are identified to agency management. Agencies can use this information when making decisions concerning prioritization and allocation of resources. CSRM is investigating methods to identify and report the amount of agency risk.

CSRM reviewed the evaluation of IT security programs and identified areas for improvement. The existing evaluation relies primarily on submission of documentation that shows whether the agency complied with specified requirements. CSRM is moving to a risk-based evaluation of the information security program. Over the next year, CSRM will introduce methods to identify the most significant IT risks that affect the Commonwealth and methods to prioritize the remediation of those risks.

Security is not being adequately included in the lifecycle planning of IT systems. End-of-life planning for IT systems and applications is not sufficiently addressing the need to upgrade hardware and software that is no longer supported by a vendor. Continued use of unsupported hardware and software is costly and puts Commonwealth information at a high risk level. In addition to the risks posed by vulnerabilities in unsupported systems, the talent pool for antiquated systems and applications diminishes over time, leading to even higher costs to maintain the system. CSRM will investigate implementing processes to require that agencies provide plans to update or replace out-of-support or soon-to-be out-of-support IT systems.

Survey results, as well as the status of the information security programs as a whole, indicate that agency ISOs and information security programs do not have adequate resources. Agency security personnel and management are not receiving enough security training and education to understand the information security risk carried by the agency. Unless agencies understand the impact of the risk carried, decisions could be made that potentially result in adverse consequences. CSRM is investigating how to account for resource allocation as part of agency remediation plans.

Lack of improvement in the security posture of the Commonwealth IT environment can lead to numerous undesirable outcomes. Approximately 10 percent of reported business functions and their corresponding systems impact the safety of Commonwealth citizens and employees. An information security event impacting a system supporting these business functions could result in adverse impact on the security of data, safety of those depending on the business function and Commonwealth finances. A significant data breach, such as the 2012 data breaches in South Carolina and Utah, results in significant costs. It is estimated that the South Carolina Department of Revenue data breach will cost that state more than $20 million and the Utah Department of Health data breach is estimated to cost between $2 million and $10 million. Unless the Commonwealth improves its overall IT security posture, Virginia could experience a similar breach.